Sub-linear Blind Ring Signatures without Random Oracles

Size: px

Start display at page:

Download "Sub-linear Blind Ring Signatures without Random Oracles"

Joan Webb
5 years ago
Views:

1 Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. Abstract. Ring signatures allow a signer to anonymously sign a message on behalf of a set of arbitrarily chosen signers called a ring. Blind signatures, on the other hand, allow a user to obtain a signature on a message while maintaining the privacy of the message. Blind ring signatures combine properties of both primitives and hence provide a strong notion of anonymity where the privacy of both the identity of the signer and the message is preserved. Blind ring signatures find applications in various systems; including multiauthority e-voting and distributed e-cash systems. In this paper we provide the first provably secure blind ring signature construction that does not rely on random oracles, which solves an open problem raised by Herranz and Laguillaumie at ISC We present different instantiations all of which are round-optimal (i.e. have a two-move signing protocol), yield sub-linear size signatures, and meet strong security requirements. In order to realize our constructions efficiently, we construct a sub-linear size set membership proof which works in the different bilinear group settings, which may be of independent interest. As a secondary contribution, we show how to generically combine our set membership proof with any secure signature scheme meeting some conditions to obtain ring signatures whose security does not rely on random oracles. All our constructions work over the efficient prime-order bilinear group setting and yield signatures of sub-linear size. In addition, our constructions meet strong security requirements: namely, anonymity holds under full key exposure and unforgeability holds against insider-corruption. Finally, we provide some example instantiations of the generic construction. 1 Introduction Background. A Ring Signature (RS), introduced by Rivest, Shamir and Tauman [48], allows a signer to choose an arbitrary set of signers called a ring and anonymously sign a message on behalf of the ring providing that the signer himself is a member of the ring. Generating the signature does not require the cooperation of other members of the ring and hence they need not even be aware of their inclusion in the ring. Besides correctness, the security of ring signatures [48, 9] requires anonymity and unforgeability. Informally, anonymity requires that a signature does not reveal the identity of the ring member who produced it. On the other hand, unforgeability requires that an adversary cannot forge new signatures on behalf of an honest ring. In [9], the authors provide various variants of those requirements. We will prove the security of our constructions under the strongest definitions provided in [9]. Like group blind signatures [41], blind ring signatures extend blind signatures to the multi-signer setting. However, in contrast to the former, the latter provide more flexibility in the choice of the group as it is done in an ad hoc manner without requiring prior cooperation or join protocols. In addition, anonymity of the signer is not revocable. Besides the three security properties required from traditional ring signatures, the security of blind ring signatures requires blindness which informally states that members of the ring cannot learn which message is being signed on behalf of the ring. Also, they cannot match a signature to its signing session. Applications. For applications of ring signatures see, e.g. [48, 42, 24]. They were originally used for anonymous leaking of authoritative secrets. Another application of ring signatures are designated-verifier signatures [39].

2 Applications of blind ring signatures include distributed e-cash systems [41], where a client s e-coin is signed by a member of a coalition of banks chosen in an ad hoc manner. The choice of the coalition could be specified by either the issuing bank or the client himself. Other applications of the primitive include multi-authority e-voting, e.g. [22], and e-auction systems. Related Work. BLIND RING SIGNATURES. Only a few blind ring signature schemes [18, 53, 37, 54] were proposed. All of those constructions are secure in the Random Oracle Model (ROM) [8]. The scheme in [18] yields signatures of linear size and its security requires both random oracles and the generic group model [51]. In [53], the authors presented a static blind ring signature scheme that requires both random oracles and the generic group model. This scheme requires that the group (i.e. the ring) is fixed and hence it yields signatures of constant size. The schemes in [37, 54] also yield signatures of linear size. We note here that the blindness requirement of [37] was proven using a different game than the standard definition for blindness [40, 46] where the adversary only interacts once with the challenger and does not get to see the final signature. RING SIGNATURES. The original construction by Rivest, Shamir and Tauman [48] is based on trapdoor permutations and is secure in the random oracle model. Subsequently, other constructions relying on random oracles followed [5, 13, 38, 24, 43]. A few constructions which do not rely on random oracles were proposed. Bender et al. [9] gave a generic construction requiring generic ZAPs [25], making it inefficient. They also gave two constructions for two-signer rings. Other constructions which do not require random oracles include [50, 19, 15, 49, 16]. The constructions in [49, 16] use a weaker notion of unforgeability than the one we use in this paper. All existing constructions apart from [19] (which yields sub-linear size signatures in compositeorder groups in the Common Reference String (CRS) model) and [24, 43] (which yield signatures of constant size in the ROM) yield signatures of linear size. Motivation. All the existing blind ring signature schemes [18, 53, 37, 54] require random oracles. Since the random oracle is an assumption that cannot be realized securely in practice [17], many protocol designers strive for constructions in the standard model. Moreover, all existing constructions (apart from [53] in which the ring is static) yield signatures whose size grows linearly with the size of the ring. It is therefore desirable to design more efficient schemes. Furthermore, it is nowadays a common practice to base the security of cryptographic protocols on non-interactive complexity assumptions that are falsifiable [47]. In addition, most of the existing ring signature constructions which do not rely on random oracles are either specific to the (inefficient) composite-order bilinear group setting and/or yield signatures of linear size. The Challenges. The subtlety one faces when designing blind ring signatures lies in the dual privacy requirement: that is the dilemma of having parts of the witness of the same proof of knowledge coming from different parties who do not trust each other. On the one hand, the signer needs to hide his identity and parts of the signature that could identify him (i.e. the anonymity requirement). On the other hand, the user needs to hide the message and parts of the signature which could reveal the linkage between a signature and its signing session (i.e. the blindness requirement). One might consider addressing such an issue by resorting to secure multiparty computation, however, such an approach would massively degrade the efficiency of the resulting construction. Due to the nature of random oracles, in the random oracle model this obstacle is easier to tackle by, for instance, using divertible proofs of knowledge e.g. [23, 44]. In the standard model, the issue is more subtle. To get around this issue, we exploit some properties of Groth-Sahai proofs [35], namely: the randomizability of the proofs [7] and the ability to transform some proofs without knowledge of the original witness [32, 30]. This way we obtain the required divertibility needed to achieve the dual privacy requirement. 2

3 The second technical challenge is that unforgeability of ring-related signatures requires that the signature is bound to the ring in order to prevent the adversary from transforming a signature by some ring into a signature by a different ring. The scenario is more serious when the construction involves a malleable proof system such as the Groth-Sahai proof system which we use in our constructions. This is because the malleability of the proof system allows one to easily transform a proof for some statement into another proof for a related statement. When constructing ring signatures, one can easily bind the signature to the ring by simply signing both the message and the ring. For instance, this could be efficiently achieved by signing the hash of the concatenation of both the message and the ring. Unfortunately, this approach does not work in a blind signing protocol. That is because necessitating that the message remains hidden from the signer, one needs to prove that such hashing was applied correctly without revealing the message, which cannot be efficiently realized due to the complex structure of hash functions. To bind the signature to the ring w.r.t. which it was produced, we deploy a different approach. We use a signature scheme that simultaneously signs a pair of messages to construct a partially-blind signature scheme where we hide the actual message from the signer but we include the details of the ring as the public information shared between the user and the signer. The remaining challenge which is inherent even in traditional ring signatures is the size of the signatures. Almost all previous blind ring signatures e.g. [18, 37, 54] and most existing traditional ring signatures e.g. [9, 50, 15] yield signatures whose size grows linearly with the size of the ring. This limitation is usually inherited from the underlying OR proof used to prove that the signature verifies w.r.t. a verification key contained in the ring without revealing which one it is. In [19], the authors used some techniques from private information retrieval applications to construct a membership proof that has a sub-linear size. Unfortunately, their protocol is limited to the rather inefficient composite-order bilinear group setting. As a part of our contribution, we adapt their technique to the prime-order setting and thus we construct a sub-linear size set membership proof that works in the 3 different settings of prime-order bilinear groups. Although this on its own is not a major contribution, it is of independent interest as we believe it could have further applications beyond the scope of this paper. Our Contribution. Our main contribution is the first blind ring signature schemes that do not rely on idealized assumptions. This solves a problem that remained open since 2006 [37]. To realize our constructions efficiently, we instantiate the idea used for the membership proof from [19] in the prime-order bilinear group setting. All our constructions yield signatures of sub-linear size and thus are shorter than those of previous constructions. In addition, our schemes meet stronger security requirements than those used for previous constructions, and their security is based solely on falsifiable complexity assumptions. We note here that it is still an open problem to get a ring signature scheme with constant-size signatures in the standard model and hence we believe that our constructions are efficient. Our final contribution is a generic construction that combines our set membership proof with any signature scheme in the standard model satisfying some properties to get sub-linear size ring signatures without random oracles. Again, our focus is on constructions in the efficient prime-order bilinear group setting. Paper Organization. The rest of the paper is organized as follows: In Section 2, we give some preliminary definitions. In Section 3, we define blind ring signatures and present their security definitions. In Section 4, we present a new set membership proof. In Section 5 we present our blind ring signature constructions. Finally, in Section 6 we present our ring signature constructions. 2 Preliminaries Notation. Given a probability distribution S, we denote by x S the operation of selecting an element according to S. If A is a probabilistic machine, we denote by A(x 1,..., x n ) the output distribution of A on inputs (x 1,..., x n ). By p.p.t., we mean running in probabilistic polynomial time in the relevant 3

4 security parameter. By [1, n], we denote the set {1, 2,..., n}. A function v(.) : N R + is negligible in c if for every polynomial p(.) and all sufficiently large values of c, it holds that v(c) < 1 p(c). 2.1 Bilinear Groups A bilinear group is a tuple P := (G 1, G 2, G T, p, G, G, e) where G 1, G 2 and G T are groups of a prime order p and G and G generate G 1 and G 2, respectively. The function e is a non-degenerate bilinear map G 1 G 2 G T. We use multiplicative notation for all the groups although usually G 1 and G 2 are chosen to be additive. We let G 1 := G 1 \ {1 G1 } and G 2 := G 2 \ {1 G2 }. For clarity, elements from G 2 will be accented with. Following [31], we categorize prime-order bilinear groups into three main types: Type-1: This is the symmetric pairing setting in which G 1 = G 2. Type-2: G 1 G 2 but there is an efficiently computable isomorphism ψ : G 2 G 1. Type-3: Again G 1 G 2, but now there is no known efficiently computable isomorphism. We assume that all three groups are cyclic and that there is an algorithm BGrpSetup that takes as input a security parameter λ and a type tp {1, 2, 3} and outputs a description of bilinear groups of Type-tp. 2.2 Complexity Assumptions We will use the following assumptions from the literature: CDH. For a group G := G of a prime order p given (G, G a, G b ) G 3 for a, b Z p, it is hard to compute G ab. DDH. For a group G := G of a prime order p given (G, G a, G b, C) G 4 for a, b Z p, it is hard to decide whether or not C = G ab. Co-CDH [20]. In Type-2 bilinear groups given (G, G a, G, G b ) G 2 1 G2 2 for a, b Z p, it is hard to compute G ab. Co-CDH [20]. In Type-3 bilinear groups given (G, G a, G b, G, G b ) G 3 1 G2 2 for a, b Z p, it is hard to compute G ab. SXDH. The Decisional Diffie-Hellman (DDH) assumption holds in both groups G 1 and G 2. DLIN [12]. For Type-1 bilinear groups where G 1 = G 2 = G and G generates G, given the tuple (G a, G b, G ra, G sb, G t ) where a, b, r, s, t Z p are unknown, it is hard to tell whether t = r + s or t is random. q-sdh [11]. For a group G := G of a prime order p given (G, G x,..., G xq ) G q+1 for x Z p, it is hard to output a pair (c, G 1 x+c ) Zp G for an arbitrary c Z p \{ x}. WFCDH [29]. In symmetric bilinear groups, given (G, G a, G b ) G 3 for a, b Z p, it is hard to output a tuple (G r, G ra, G rb, G rab ) G 4 for an arbitrary r Z p. AWFCDH [29]. In asymmetric bilinear groups, given (G, G a, G) G 2 1 G 2 for a Z p, it is hard to output a tuple (G b, G ab, G b, G ab ) G 2 1 G 2 2 for an arbitrary b Zp. q-dhsdh [29]. In symmetric bilinear groups, given (G, H, K, G x ) G 4 for x Z p, and q 1 tuples (W i := (K G u i ) 1 x+v i, U 1,i := G u i, U 2,i := H u i, V 1,i := G v i, V 2,i := H v i ) q 1 i=1, where u i, v i Z p, it is hard to output a new tuple (W, U1, U 2, V 1, V 2 ) of this form. q-adhsdh [29]. In asymmetric bilinear groups, given (G, F, K, G x, G, G x ) G 4 1 G2 2 for x Z p, and q 1 tuples (W i := (K G u i ) 1 x+v i, U 1,i := G u i, Ũ2,i := G u i, V 1,i := F v i, Ṽ2,i := G v i ) q 1 i=1 for u i, v i Z p, it is hard to output a new tuple (W, U1, Ũ2, V 1, Ṽ2 ) of this form. 4

5 2.3 Groth-Sahai (GS) Proofs Groth and Sahai [35, 36] introduced a proof system in the CRS model that yields Non-Interactive Witness-Indistinguishable (NIWI) and Zero-Knowledge (NIZK) proofs. The system can be instantiated in composite-order or prime-order bilinear groups. The equations one can prove with the system are as follows where in the description X 1,..., X m, Y 1,..., Y n G, x 1,..., x m, y 1,..., y n Z p are secret variables (hence underlined), whereas A i, T G, a i, b i, k i,j, t Z p, t T G T are public constants. Note that in the asymmetric setting, there are two types of MSM equations depending on which group the elements belong to. Pairing Product Equation (PPE): n e(a i, Y i ) m i=1 Multi-Scalar Multiplication Equation (MSME): Quadratic Equation (QE) in Z p : i=1 j=1 n i=1 n e(x i, Y j ) k i,j = t T A y i i n a i y i + m x i b i + m i=1 The system consists of the following algorithms i=1 m m b X i i i=1 i=1 j=1 i=1 j=1 n x i y j = t n k X i,j y j i = T (GSSetup, GSProve, GSVerify, GSExtract, GSSimSetup, GSSimProve) Algorithm GSSetup takes as input the description of a bilinear group P and outputs a soundness reference string crs and an extraction key xk. GSProve takes as input a reference string crs, a witness and a set of equations, and outputs a proof Ω for the satisfiability of the equations. For clarity, we will underline the elements of the witness in the description of the equations. GSVerify takes as input a reference string crs, a proof Ω and a set of equations, and outputs 1 if the proof is valid or 0 otherwise. In the rest of the paper we will omit the set of equations from the input to the GSVerify algorithm. GSExtract takes as input a soundness reference string crs, the extraction key xk and a valid proof Ω, and outputs the witness used in the proof. GSSimSetup takes as input a bilinear group P and outputs a simulation string crs Sim and a trapdoor key tr that allows to simulate proofs. GSSimProve takes as input crs Sim and the simulation trapdoor tr and produces a simulated proof Ω Sim without a witness. The system works by first committing to the elements of the witness (using the algorithm GSCommit) and then producing a proof of satisfiability for each equation. If a witness component is involved in more than one source equation, the same commitment is re-used when verifying the proofs which makes the proofs correlated. The proofs come in two flavors: the soundness setting yields extractable proofs, whereas the simulation setting yields simulatable proofs. The system s security requires that the distributions of strings crs and crs Sim are indistinguishable and simulated proofs are indistinguishable from real proofs. As formalized by [7], GS proofs can be rerandomized by rerandomizing the associated GS commitments and updating the proofs accordingly so that we obtain fresh proofs that are unlinkable to the original ones. Rerandomizing a proof requires knowledge of neither the witness nor the associated randomness used in the original GS commitments. We define an algorithm GSRandomize which takes as input a CRS crs and a proof Ω, and outputs a proof Ω which is a randomized version of the proof Ω. The proof system has the following properties: Perfect Completeness: On a correctly generated CRS, crs, and a valid proof Ω, the algorithm GSVerify always accepts the proof. Perfect Soundness: On a correctly generated CRS, crs, it is impossible to generate a proof unless the equations are satisfiable (i.e. unless the prover knows a witness). Composable Witness-Indistinguishability: The CRS crs output by GSSetup is computationally indistinguishable from the CRS crs Sim output by GSSimSetup. Also, for any p.p.t. adversary A that 5

6 is given crs Sim and is allowed to choose any statement y and two distinct witnesses w 0 and w 1 for the statement y, the following probability is negligibly close to 1/2. Pr [ b {0, 1}; Ω GSProve(crs Sim, w b, y); b A(Ω) : b = b (w i, y) R for i = 0, 1 ] Composable Zero-Knowledge: Again, the CRS crs output by GSSetup is computationally indistinguishable from the CRS crs Sim output by GSSimSetup. In addition, we have for any p.p.t. adversary A that is given (crs Sim, tr) and is allowed to choose any (w, y) R that Pr [ Ω GSProve(crs Sim, w, y) : A(Ω) = 1 ] = Pr [ Ω Sim GSSimProve(crs Sim, tr, y) : A(Ω Sim ) = 1 ] Rerandomizability [7]: We have for all p.p.t. adversaries (A 1, A 2 ), the following probability is negligbly close to 1/2 (crs, xk) GSSetup(P); (w, y, Ω, state find ) A 1 (crs); Pr Ω 0 GSProve(crs, w, y); Ω 1 GSRandomize(crs, Ω); b {0, 1}; b A 2 (state find, Ω b ) : b = b GSVerify(crs, Ω) = 1 (w, y) R As shown in [7], GS proofs have composable randomizability, where randomizability holds even if we switch to the simulation setting. For more details on how the proof system can be instantiated in the different settings see [36, 34]. 2.4 (Partially) Blind Signatures Blind Signatures (BS) [21] allow a user to obtain a signature on a message hidden from the signer. Partially Blind Signatures (PBS) [3] are an extension of blind signatures where unlike blind signatures, part of the message to be signed is shared public information info which is known to both parties. The signing protocol in these schemes is interactive PBSObtain(pk, m, info), PBSSign(sk, info) between a user who knows a message m and a signer who possesses a secret signing key sk and both parties know the public information info. If the protocol is completed successfully, the user obtains a signature Σ on the message m and the information info. The security of partially blind signatures [6] is similar to that of blind signatures [40, 46] and consists besides correctness of blindness and unforgeability. Intuitively, blindness requires that an adversarial signer does not learn the message being signed and he cannot match a signature to its signing session. In the game, the adversary (modeling an adversarial signer) chooses two messages m 0 and m 1 and common information info and then interacts with the honest user who requests signatures on those messages in an arbitrary order unknown to the adversary. The same information info is used in both interactions. If completed successfully, the adversary gets the two final signatures and wins if it tells the order in which the messages were signed with a probability that is non-negligibly greater than 1/2. On the other hand, unforgeability deals with an adversarial user whose goal is to obtain k +1 distinct message/signature pairs after only k interactions w.r.t. the public information info with the honest signer. A Partially Blind Signature Scheme [29, 30]. In [29, 2], the authors gave a blind signature scheme whose security reduces to the DLIN, WFCDH and q-dhsdh/q-adhsdh assumptions in the symmetric setting or the SXDH, AWFCDH and q-adhsdh assumptions in the asymmetric setting. The message space of the scheme is M := {(G m, G m ) m Z p }. To get a partially blind scheme, we use a variant of their blind scheme based on the modified signature scheme from [30] whose message space is M Z p as highlighted in [30]. The high-level idea behind the scheme is that the user commits to his message and sends the commitment along with GS proofs to prove that it is well-formed to the signer. The signer uses his secret key 6

7 to produce a signature on the commitment and the public information info. When the user receives the signature, he uses the randomness he used in the commitment to modify the signature from one on the commitment to one on the message itself. The final signature is a set of GS proofs of knowledge of such a signature. The blindness of the scheme is ensured by the NIWI/NIZK properties of GS proofs and the fact that the first-round commitment is information-theoretically hiding. The scheme in the asymmetric setting is in given Figure 1. PBSSetup(1 λ ): PBSKeyGen(param PBS ): (G 1, G 2, G T, p, G, G, e) BGrpSetup(1 λ, 3). Choose a Z p and set A := G a and Ã := G a. P := (G 1, G 2, G T, p, G, G, e). sk := a, pk := (A, Ã). Return (sk, pk). (crs, xk) GSSetup(P). PBSVerify(pk, (M, M), Σ, info): F, K, L, T G 1. Parse Σ as Ω sig. Return param PBS := (P, crs, F, K, L, T ). Return 1 if GSVerify(crs, Ω sig ) = 1 Else Return 0. The signing protocol PBSObtain(pk, (M, M), info), PBSSign(sk, info) PBSObtain PBSSign Choose s Z p and compute S := G s, S := G s and C := M T s. Ω GSProve crs, (M, M, S, S), n e(m, G) = e(g, M) e(s, G) = e(g, S) e(m, G)e(T, S) = e(c, G) o. Send (C, Ω) to PBSSign. PBSSign PBSObtain Abort if GSVerify(crs, Ω) 1. Otherwise, choose u, v Z p and compute: U := G u, V := F v, W := (K T u C L info ) a+v 1, Ũ := G u, Ṽ := G v. Send σ := (W, U, Ũ, V, Ṽ ) to PBSObtain. PBSObtain Compute U := U S and Ũ := Ũ S. Abort if e(u, G) e(g, Ũ), e(f, Ṽ ) e(v, n G) or e(w, Ã Ṽ ) e(k M Linfo, G)e(T, Ũ). Ω sig GSProve crs, (V, Ṽ, W, U, Ũ), e(v, G) = e(f, Ṽ ) e(u, G) = e(g, Ũ) e(w, Ã Ṽ )e(t 1, Ũ) = e(k M Linfo, G) o. Output Σ := Ω sig. Fig. 1. The partially blind signature scheme (in the asymmetric setting) [29, 30] 2.5 Ring Signatures A ring signature is a tuple RS := (RSSetup, RSKeyGen, RSSign, RSVerify) of p.p.t. algorithms. Those algorithms are defined as follows; where to aid notation all algorithms (bar RSSetup and RSKeyGen) take as implicit input param RS (output by RSSetup): RSSetup(1 λ ) takes as input a security parameter λ and outputs common public parameters param RS. RSKeyGen(param RS ) takes as input param RS and outputs a pair of secret/public keys (sk, pk). RSSign(sk i, m, R) takes as input a secret key sk i, a message m M (where M is the message space) and a ring R := {pk 1,..., pk n } with the condition that pk i R and outputs a signature Σ on the message m. RSVerify(m, Σ, R) takes as input a message m, a ring signature Σ and a ring R and outputs 1 if the signature is on the message m w.r.t. ring R or 0 otherwise. The security properties required from ring signatures are informally as follows: Correctness: All honestly generated signatures are accepted by the RSVerify algorithm. Anonymity: An adversary cannot tell which ring member produced a signature. 7

8 Unforgeability: An adversary cannot output a valid signature Σ on a message m and w.r.t. an honest ring R unless the adversary obtained such a signature by querying the sign oracle on (m, R ). For detailed definitions and variants of those properties, we refer the reader to [9]. We use the strongest variants from [9], namely: anonymity under full key exposure and unforgeability against insider-corruption. 3 Blind Ring Signatures Definition 1 (Blind Ring Signatures). A Blind Ring Signature (BRS) is a tuple of p.p.t. algorithms (BRSSetup, BRSKeyGen, BRSObtain, BRSSign, BRSVerify). Those algorithms are defined as follows; where to aid notation all algorithms (bar BRSSetup and BRSKeyGen) take as implicit input param BRS (output by BRSSetup): BRSSetup(1 λ ) takes as input a security parameter λ and outputs public parameters param BRS. BRSKeyGen(param BRS ) is run by a signer Signer i to generate his pair of secret/public keys (sk, pk). BRSObtain(m, R), BRSSign(sk i, R) is an interactive two-party protocol between a user User and a signer in the ring R where pk i R. If the protocol completes successfully, User obtains a blind ring signature Σ on the message m. If any of the parties abort, User outputs. This protocol is initiated by a call to BRSObtain. The choice of the ring could be influenced by either the signer or the user. BRSVerify(m, Σ, R) verifies if the blind ring signature Σ is on the message m w.r.t. the ring R. A tuple BRS := (BRSSetup, BRSKeyGen, BRSObtain, BRSSign, BRSVerify) is a secure blind ring signature if it has correctness, anonymity, unforgeability and blindness which are defined as follows: Definition 2 (Correctness). A blind ring signature BRS is correct if for any λ N, any polynomial n( ), any {(pk i, sk i )} n(λ) i=1 output by BRSKeyGen, any message m in the message space M and any index i [1, n(λ)] if Σ is the output of the honest interaction BRSObtain(m, R), BRSSign(sk i, R) where R = {pk 1,..., pk n(λ) } then BRSVerify accepts the signature Σ. ANONYMITY. We use a strong definition for anonymity where we allow the adversary to use corrupt keys as well as obtaining the secret keys for the two challenge signers i 0 and i 1 and hence capturing security against full key exposure and adversarially-chosen keys [9]. Definition 3 (Anonymity). A blind ring signature BRS satisfies anonymity if for any λ N and polynomial n( ) the success probability of any p.p.t. adversary A in the following game is negligibly close to 1/2: 1. The challenger generates param BRS and key pairs {(pk i, sk i )} n(λ) i=1 using BRSKeyGen(param BRS). A is given param BRS and S := {pk i } n(λ) i=1. 2. Throughout the game, A has access to a sign oracle OSign with which it interacts to obtain signatures on messages and by signers in rings of its choice (providing that the signer s public key is in R and S). A can also ask for the secret key of any signer to be revealed at any stage of the game. 3. A outputs two distinct indices i 0 and i 1 and a ring R with the only condition that pk i0, pk i1 R. It then interacts with the challenger to get a signature by signer Signer ib where b {0, 1}. 4. A outputs a bit b and succeeds if b = b. UNFORGEABILITY. Informally, a blind ring signature is unforgeable if the adversary cannot output a blind ring signature w.r.t. to a ring R of honest signers that was never produced by the sign oracle. Due to the blind nature of the signing protocol and as in standard blind signatures, we follow the (k, k + 1)- unforgeability definition [40, 46]. The following definition also protects against insider corruption [9]: 8

9 Definition 4 (Unforgeability). A blind ring signature BRS is unforgeable if for any λ N, and polynomial n( ) the success probability of any p.p.t. adversary A in the following game is negligible: 1. The challenger generates param BRS and key pairs {(pk i, sk i )} n(λ) i=1 using BRSKeyGen(param BRS). A is given param BRS and S := {pk i } n(λ) i=1. 2. Throughout the game, A has access to the same oracles as in the anonymity game (Definition 3). 3. A outputs k+1 pairs of message/signature {(m i, Σ i )} k+1 i=1, and a ring R. A wins if all the following conditions hold: (a) All k + 1 signatures verify correctly (w.r.t. ring R ) and all the messages are distinct. (b) All members of the ring R are honest. (c) A engaged in at most k interactions with the sign oracle w.r.t. ring R. Note that our definition above is not of strong unforgeability, i.e., we do not require that the adversary cannot output a new signature on an old message. BLINDNESS. Informally, a blind ring signature is blind if an adversary (modeling a dishonest behavior of signers in the ring) does not learn the message it is signing. Moreover, it cannot link a signature to its signing session. Definition 5 (Blindness). A blind ring signature BRS satisfies blindness if for any λ N and polynomial n( ) the success probability of any p.p.t. adversary A in the following game is negligibly close to 1/2: 1. The challenger generates param BRS and sends it to A. 2. A outputs a ring R (the keys of which are possibly adversarially chosen) and two messages m 0 and m The honest user interacts with the adversary concurrently to get signatures on those two messages in an arbitrary order unknown to the adversary by choosing a bit b {0, 1}. A is sent the signatures Σ b, Σ 1 b. If any of the interactions did not finish or any of the signatures do not verify w.r.t. R, A is not informed about the other signature. 4. A outputs a bit b and wins if b = b. As noted by [37], since the ring is public, it is a natural requirement that the two challenge signatures are signed w.r.t. the same ring. Otherwise, blindness can be trivially broken if different rings were used. Unlike the blindness definition used in [37], which does not give the final challenge signatures to the adversary, we give the adversary the two final signatures. This is important because blindness should capture the case that a blind signature is not linkable to its signing session. Take, for example, the e-cash application where the issuing bank eventually gets to see the coins when they are deposited. Also, unlike [37], our definition allows the adversary to use corrupt keys of its choice which again provides a strong definition of blindness [1, 45]. 4 Sub-linear Size Set Membership Proof over Prime-Order Groups In this section we construct a non-interactive set membership proof. The proof allows a prover to prove that a value X γ is contained in some set {X 1,..., X N } G N. Our construction is based on the underlying idea of the proof in [19] which is specific to the composite-order bilinear group setting and is based on the subgroup decision assumption [14]. Unlike the proof in [19], our proof is more general and works in both composite-order and prime-order bilinear groups. However, for efficiency reasons our focus is on the prime-order setting. We provide different instantiations over the 3 main types of the prime-order setting as summarized in Table 1. We note that it might also be possible to use the recent techniques, e.g. [28], for translating composite-order based protocols to the prime-order setting to obtain a variant of the original protocol in [19] in the prime-order setting. 9

10 The idea from [19] is to represent the set by a square n n matrix where n = N. If N is not square, we can repeat X 1 as many times as required to obtain a set whose size is square. As we will see, this does not affect the complexity of the proof. The prover knows a secret value X γ and wants to produce a non-interactive proof that such a value is contained in a square n n matrix X without revealing the secret value. Thus, we construct a proof for the statement Ω mem := PoK{(X γ G) : X γ X}, where the matrix is X = X 1,1 X 1,2... X 1,n X n,1 X n,2... X n,n For ease of composition, the proof we give here is in the symmetric setting and is based on the DLIN assumption and can be instantiated in the asymmetric setting as summarized in Table 1. Let (G, G T, p, G, e) be a description of symmetric bilinear groups. We summarize the proof in the following steps where we assume that X γ = X α,β (i.e. X γ lies in row α and column β) and crs is the reference string used for the proof system: 1. The prover chooses 2 secret binary vectors y, z {0, 1} n as follows { { 1 if i = α, 1 if i = β, y i = z 0 if i α i = 0 if i β The vectors y, z will be used to anonymously single out the row and the column containing the secret value, respectively. The prover first needs to prove that each element of those vectors has a value {0, 1} which is done by the following QE proofs Ω yi GSProve ( crs, (y i ), { y i (y i 1) = 0 }), Ω zi GSProve ( crs, (z i ), { z i (z i 1) = 0 }) Additionally, the prover needs to prove that each vector contains only a single value of 1. This could be achieved by generating two extra proofs for the equations n i=1 y i = 1 and n i=1 z i = 1, respectively, which only adds two linear QE proofs and no extra commitments to the complexity. Alternatively, if witness-indistinguishability is sufficient, one can prove this for free by exploiting the homomorphic property of GS commitments (which are ElGamal ciphertexts [26] in the SXDH instantiation and Linear ciphertexts [12] in the DLIN instantiation). Thus, by choosing the GS randomness used for committing to one of those GS commitments to be the inverse of the sum of the corresponding randomness used for committing to the remaining values in the vector and then by multiplying the GS commitments to the values in each vector, the randomness cancels out and we can recover the sum of the values in the vector which allows the verifier to verify such a claim. Let C yi GSCommit(y i, τ yi ) and C zi GSCommit(z i, τ zi ) be the GS commitments used in committing to y i and z i, respectively. We set τ yn := n 1 i=1 τ y i and τ zn := n 1 i=1 τ z i. Note that since the randomness τ y1,..., τ yn 1 and τ z1,..., τ zn 1 is chosen uniformly, the randomness τ yn and τ zn is also uniform. The verifier can verify that indeed each vector contains only a single value of 1 by checking that n i C y i = n i C z i = GSCommit(1, 0), i.e. the product is equal to a trivial GS commitment to 1. In total, this step requires 2n GS commitments and 2n QE proofs. 2. The prover anonymously singles out the row containing his secret value. To do so, for each column j in the matrix compute X α,j := n i=1 Xy i i,j. Note that X α contains the messages in row α of the matrix X. The prover generates the following MSME proofs to prove that each X α,j was computed correctly ( { n }) Ω Xα,j GSProve crs, (X α,j, y 1,..., y n ), X y i i,j X 1 α,j = 1 i=1 10

11 3. Finally, the prover proves that the value X γ is contained in the secret vector X α. This is achieved by the following MSME proof ( { n }) Ω Xγ GSProve crs, (X γ, X α,1,..., X α,n, z 1,..., z n ), X z i α,i X 1 γ = 1 The membership proof is Ω mem := (( ) ( )) C y, C z, C Xα, C Xγ, Ωy, Ω z, Ω Xα, Ω Xγ. To verify the proof, the verifier verifies the proofs Ω yi, Ω zi, Ω Xα,i for all i [1, n] and Ω Xγ and additionally checks that n i C y i = n i C z i = GSCommit(1, 0). Note that when the proof is instantiated over asymmetric bilinear groups we need to commit to the vectors y and z in both groups G 1 and G 2 and provide a proof of their equality. Theorem 1. The set membership proof is correct, sound and zero-knowledge. Proof. Correctness and soundness follow from the correctness and soundness of GS proofs and the fact that by checking that n i C y i = GSCommit(1, 0) and n i C z i = GSCommit(1, 0), the verifier ensures that only one non-zero value is contained in each vector. The witness-indistinguishability of the membership proof also follows from that of GS proofs. When zero-knowledge is required, all the equations we prove (which are of types QE and MSME) are simulatable at no extra cost. Simply by using trivial witnesses (i.e. 0 for exponent values and 1 for group elements), we can simulate all the proofs. Thus, the proof is zero-knowledge. Complexity of the Proof. We summarize in Table 1 the size (in group elements) of the proof in the different GS instantiations. i=1 Component/Instantiation DLIN DDH G 1 + DLIN G2 SXDH G 1 G 2 G 1 G 2 GS Commitments 9n + 3 4n 9n + 3 4n 6n + 2 GS proofs 21n n n n n + 2 Total 30n n n n n + 4 Table 1. Complexity of the proof We note here that in the asymmetric setting, the total size of the proof is irrespective of whether the set is in G N 1 or GN 2. Although the size of the commitments and proofs are swapped between the two cases, the total size remains the same. To speed up verification, one can apply batch verification techniques [33, 10] to Groth-Sahai proofs. 5 Blind Ring Signature Construction Overview of the Construction. Some of the recent round-optimal blind signature constructions e.g. [4, 29] are instantiations of Fischlin s generic construction [27], and combine the GS proof system with commitment and signature schemes that are compatible with one another. The latter is referred to as structure-preserving signatures [2]. In Fischlin s construction, the user sends a commitment to the message to the signer who in turn returns a signature on the commitment. The user then constructs the final blind signature by encrypting both the signature and the commitment and providing a NIZK proof of knowledge that the signature is valid on the commitment and that the commitment is to the message in question. We exploit some properties of GS proofs. First, the rerandomizability of the proofs [7]. Second, that they are independent of the public terms in the equations being proven [32, 30], which as shown by [32], 11

12 allows transforming GS NIWI proofs into new NIWI/NIZK proofs by adding some/all of those public terms to the witness without knowledge of the original witness. The latter property was used by [32] to construct a group blind signature scheme. Additionally, we require that: 1. The verification equations of the signature scheme has the form that all the monomials (e.g. the pairing in the case of PPE equations) involving the message are independent of the signing key, i.e. they involve neither the verification key nor any signature component that depends on the signing key so that we can exploit the second property above. An example scheme satisfying this condition is the automorphic scheme from [29]. 2. The signature scheme signs n + 1 group elements or n group elements and an integer where n is the size (in group elements) of the commitment so that we bind the signature to the ring. To this end, we require a collision-resistant hash function H : {0, 1} M SIG to map the ring into the message space of the signature scheme. The high-level idea of our generic construction is as follows: The user sends a commitment to the message to the signer. The signer signs the commitment along with the ring information and instead of sending the signature to the user in the clear, sends a GS proof of knowledge Ω sig of his public key and the signature σ such that the signature is on the public commitment to the message and that it verifies w.r.t. to the signer s public key. In order to reduce the communication overhead, one does not need to hide the whole signature and it is sufficient to just hide the components which depend on the secret key. One might additionally need to hide other parts of the signature to ensure that the proof is in a transformable form. In addition, using the set membership proof from Section 4, the signer generates a proof Ω mem to prove that his public key is in the ring. The signer sends proofs Ω sig and Ω mem plus any remaining public components of the signature to the user. If the proofs are valid, the user first rerandomizes the proofs Ω sig and Ω mem (and their GS commitments) into Ω sig and Ω mem, respectively. The new proofs are now unlinkable to the original ones. Additionally, he transforms the NIWI proof Ω sig into a NIZK proof by adding the commitment to the message and the remaining public components of the signature (if any) to the witness of the proof. Finally, the user adds a NIZK proof Ω com to prove that the commitment is indeed to the message. The final blind ring signature is a set of GS proofs (Ω sig, Ω mem, Ω com ) and their associated GS commitments. It is vital that the proofs are correlated, i.e. proofs Ω sig and Ω mem involve the same public key, and proofs Ω sig and Ω com involve the same commitment. Thanks to the nature of GS proofs, in our instantiations this correlation is directly realized by sharing the same GS commitment for those shared components of the witness between the proofs. Anonymity is ensured by the NIWI/NIZK properties of the proofs and the fact that any remaining public components of the signature the user sees are independent of the signer s key. Blindness follows from the properties required by Fischlin s generic construction plus the composable rerandomizability [7] of the GS proof system. Finally, unforgeability is reduced to the unforgeability of the underlying signature scheme, the soundness of the proofs, the binding property of the commitment scheme, and the collision-resistant property of the hash function. Efficient Instantiation. In order to get an efficient construction, we will base our signing protocol on a variant of the blind signing protocol from [29] using the signature scheme from [30] which has a short public key and is capable of signing a pair of group elements and an integer. Thus, obtaining a partially blind signing protocol as illustrated in Figure 1. We note here that the blind signature in [29] deviates from Fischlin s generic construction [27] for blind signatures in that the final signature is on the message itself rather than its commitment and it requires proofs of knowledge in the signature request protocol. To obtain a blind ring signature on the message (M, M) G 1 G 2, the user commits to the message using Pedersen commitment C := M T s for some random s Z p and computes S := G s and S := G s. He then sends the commitment C along with GS proofs of knowledge Ω to prove that: 12

13 Setting Signature Size Assumptions Type-1 G 30n+42 DLIN, q-adhsdh and WFCDH Type-2 G 16n G 24n+30 2 DDH G1, DLIN G2, q-adhsdh and AWFCDH Type-3 G 16n G 16n+20 2 SXDH, q-adhsdh and AWFCDH Table 2. Size of the blind ring signature in the different instantiations the commitment C is indeed to the message M and that the message and the randomness pairs are well-formed. The signer first verifies the proofs and if they are valid, produces a signature σ := (U, Ũ, V, Ṽ, W ) on the commitment C and the public integer H(R) (for some collision-resistant hash function H : {0, 1} Z p ) using the variant of the automorphic signature scheme [29] as in [30]. However, instead of sending the signature in the clear, the signer sends a GS proof of knowledge Ω sig of his public verification key (A, Ã) and the signature σ such that the signature verifies w.r.t. his key. Since the components U and Ũ of σ are independent of the signing key, we need not hide them. Additionally, the signer generates a proof of membership Ω mem to prove that his key is in the ring. The signer s response is (Ω sig, Ω mem, U, Ũ ). The user first verifies the GS proofs Ω sig and Ω mem, and that the pair (U, Ũ ) is well-formed. If they are valid, the user rerandomizes those proofs into Ω sig and Ω mem, respectively, using the algorithm GSRandomize. The new proofs are unlinkable to the original ones. The user then transforms the proof Ω sig by making the signature verifiy w.r.t. to the message itself rather than its commitment: he computes U := U S and Ũ := Ũ S, and transforms the last equation in Ω sig from e(w, Ã Ṽ ) = e(k C L H(R), G)e(T, Ũ ) into e(w, Ã Ṽ )e(t 1, Ũ) = e(k M LH(R), G). In addition, he hides the components (U, Ũ) by adding a proof for the equation e(u, G) = e(g, Ũ). The final blind ring signature is Σ := (Ω sig, Ω mem ). The detailed construction in the asymmetric setting is as follows: BRSSetup(1 λ ): Run P BGrpSetup(1 λ, 3) and (crs, xk) GSSetup(P). Parse P as (G 1, G 2, G T, p, G, G, e). Choose a suitable collision-resistant hash function H : {0, 1} Z p and F, K, L, T G 1. Set param BRS := (P, crs, H, F, K, L, T ). Return param BRS. BRSKeyGen(param BRS ): Choose a Z p and set A := G a and Ã := G a. Set sk := a, pk := (A, Ã). Return (sk, pk). The signing protocol BRSObtain((M, M), R), BRSSign(sk, R) is in Figure 2. BRSVerify((M, M), Σ, R) Parse Σ as (Ω sig, Ω mem ). Return 1 if GSVerify(crs, Ω mem ) = 1 and GSVerify(crs, Ω sig ) = 1. Otherwise, return 0. Theorem 2. The construction is a secure blind ring signature scheme. The full proof is in Appendix A. Efficiency of the Construction. As mentioned earlier, our construction is the first realization in the standard model and also the first to offer sub-linear signatures instead of linear ones. Table 2 summarizes the size of the signature as well as the required assumptions for the different instantiations. Type-1 instantiation uses the DLIN instantiation of GS proofs, Type-2 uses GS proofs based on DDH in G 1 and DLIN in G 2 as used in [34], and Type-3 uses the SXDH instantiation of the proofs. To give example concrete figures, we consider a security level equivalent to 128-bit symmetric key security. For a ring consisting of 10,000 members, the Type-1 instantiation, where the size of elements of group G is 512 bits, yields signatures of size of approximately 190 kb. At the same security level in the asymmetric setting where elements of G 1 are of size 256 bits and those of G 2 are of size 512 bits, the signature size is 203 kb and 152 kb in the Type-2 and Type-3 instantiations, respectively. Again, the verification of the signature can be made more efficient by batch verifying Groth-Sahai proofs [33, 10]. 13

14 BRSObtain BRSSign Choose s Z p and compute S := G s, S := G s and C := M T s. Ω GSProve crs, (M, M, S, S), n e(m, G) = e(g, M) e(s, G) = e(g, S) e(t, S)e(M, G) = e(c, G) o. Send (C, Ω) to BRSSign. BRSSign BRSObtain If GSVerify(crs, Ω) 1 Then Abort(). Choose u, v Z p and set U := G u, V := F v, W := (K T u C L H(R) ) a+v 1, Ũ := G u, n Ṽ := G v. Ω sig GSProve crs, (V, Ṽ, W, Ã), e(v, G) = e(f, Ṽ ) e(w, Ã Ṽ ) = e(k C LH(R), G)e(T, o Ũ ). o Compute the membership proof Ω mem GSProve crs, nã (Ã), RÃ. 1 Send (Ω sig, Ω mem, U, Ũ ) to BRSObtain. BRSObtain Abort if e(u, G) e(g, Ũ ), GSVerify(crs, Ω sig) 1 or GSVerify(crs, Ω mem) 1. Compute U := U S and Ũ := Ũ S. Ω sig GSRandomize(Ω sig), Ω mem GSRandomize(Ω n mem) and transform Ω sig as follows: Ω sig GSProve crs, (V, Ṽ, W, Ã, U, Ũ), e(v, G) = e(f, Ṽ ) e(u, G) = e(g, Ũ) e(w, Ã Ṽ )e(t 1, Ũ) = e(k M LH(R), G) o. Output Σ := (Ω sig, Ω mem). Fig. 2. The signing protocol 6 Generic Construction of Ring Signatures over Prime-Order Bilinear Groups Here we provide a generic construction for ring signatures without random oracles by combining the set membership proof from Section 4 with any compatible signature scheme. Let Sig := ([SigSetup], SigKeyGen, SigSign, SigVerify) be an existentially unforgeable signature scheme secure against adaptive chosen-message attack that works in any of the 3 main types (cf. Section 2.1) of prime-order bilinear groups. Let M Sig be its message space, (sk, pk) be its key pair and σ := (σ 1,..., σ n ) be its signatures for some positive integer n with the condition that for any i [1, n], σ i is a group element if it depends on sk. 2 Our construction is as follows: RSSetup(1 λ ): Run P BGrpSetup(1 λ, tp) for tp [1, 3], (crs, xk) GSSetup(P). Choose a collision-resistant hash function H : {0, 1} M Sig. The public parameters is then param RS := (P, crs, H). Note that if Sig requires setup, then the output of SigSetup is also added to param RS. RSKeyGen(param RS ): Run SigKeyGen to obtain (sk, pk). RSSign(sk i, m, R): To sign a message m {0, 1} w.r.t. a ring R := {pk 1,..., pk N } with the condition that pk i R, run σ SigSign(sk i, H(m, R)). Then generate the following two Groth- Sahai proofs where σ is the subset of σ which depends on the secret key sk. Ω sig GSProve{crs, (pk i, σ), {SigVerify(pk i, H(m, R), σ) = 1}}, Ω mem GSProve{crs, (pk i ), {pk i R}}. The ring signature is then Σ := (Ω sig, Ω mem, {σ} \ { σ}). Again, the two proofs must be correlated, i.e. they involve the same public key pk i. This is checked by ensuring that both proofs use the same GS commitment to pk i when verifying the signature. 1 We only prove membership for one component of the key. The verifier can verify that all keys in the ring are well-formed. Alternatively, one can add a proof for the equation e(a, G) = e(g, Ã). It is a matter of trade-off between communication and computation. 2 Unlike structure-preserving signatures [2], we do not require that the messages are group elements. 14

Essam Ghadafi CT-RSA 2016

Essam Ghadafi CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND